Bug 1340065 (CVE-2016-5097, CVE-2016-5098, CVE-2016-5099) - CVE-2016-5097 CVE-2016-5098 CVE-2016-5099 phpMyAdmin: Multiple issues fixed in 4.6.2 and (PMASA-2016-16,PMASA-2016-15,PMASA-2016-14)
Alias: CVE-2016-5097, CVE-2016-5098, CVE-2016-5099
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1340066 1340068 1340069 1340070
Reported: 2016-05-26 12:04 UTC by Adam Mariš
Modified: 2021-02-17 03:49 UTC

Fixed In Version: phpMyAdmin 4.6.2, phpMyAdmin
Last Closed: 2016-11-28 14:35:30 UTC

Description Adam Mariš 2016-05-26 12:04:02 UTC
Multiple issues were fixed in phpMyAdmin:


1. Cross-site scripting vulnerability (PMASA-2016-16):

A specially crafted attack could allow for special HTML characters to be passed as URL encoded values and displayed back as special characters in the page.

Affects versions 4.4.x (prior to and 4.6.x (prior to 4.6.2).

Upstream patches:

4.6 branch: https://github.com/phpmyadmin/phpmyadmin/commit/b061096abd992801fbbd805ef6ff74e627528780

4.4 branch: https://github.com/phpmyadmin/phpmyadmin/commit/b061096abd992801fbbd805ef6ff74e627528780


2. File Traversal Protection Bypass on Error Reporting (PMASA-2016-15):

A specially crafted payload could result in the error reporting component exposing whether an arbitrary file exists on the file system and the size of that file.

The attacker must be able to intercept and modify the user's POST data and must be able to trigger a JavaScript error to the user.

This attack can be mitigated in affected installations by setting `$cfg['Servers'][$i]['SendErrorReports'] = 'never';`. Upgrading to a more recent development commit is suggested.

Only the git 'master' development branch was affected. No released version was vulnerable.

Upstream patch:



3. Sensitive Data in URL GET Query Parameters (PMASA-2016-14):

Because user SQL queries are part of the URL, sensitive information made as part of a user query can be exposed by clicking on external links to attackers monitoring user GET query parameters or included in the webserver logs.

As mitigation, avoid clicking on external links in phpMyAdmin which are not redirected through url.php script.

Affects versions prior to 4.6.2.

Upstream patches:


External References:


Comment 2 Adam Mariš 2016-05-26 12:05:07 UTC
Created phpMyAdmin tracking bugs for this issue:

Affects: fedora-all [bug 1340066]
Affects: epel-all [bug 1340068]

Comment 3 Adam Mariš 2016-05-26 12:05:14 UTC
Created phpMyAdmin4 tracking bugs for this issue:

Affects: epel-5 [bug 1340069]

Comment 4 Robert Scheck 2016-05-29 19:06:09 UTC
From what I get, upstream does not plan to address the flaw for phpMyAdmin
4.0.10.x series even though it is affected:

 - https://twitter.com/phpmya/status/736096283606142976
 - https://twitter.com/phpmya/status/736096512556421122

Is somebody able to help here? Backporting the commits doesn't seem to be
trivial as upstream already stated.

Comment 5 Andrej Nemec 2016-05-30 06:58:39 UTC
CVEs were assigned to these issues.

PMASA-2016-16: CVE-2016-5099
PMASA-2016-15: CVE-2016-5098
PMASA-2016-14: CVE-2016-5097

Comment 6 Robert Scheck 2016-06-04 22:25:50 UTC
Upstream meanwhile backported fixes to 4.0.10.x series.

Comment 7 Fedora Update System 2016-06-21 20:47:20 UTC
phpMyAdmin4- has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2016-06-21 21:47:49 UTC
phpMyAdmin- has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
